The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance to help public and private sector organizations deal with the increasing ransomware threat, specifically ransomware gangs using double extortion tactics in which sensitive data are located and exfiltrated prior to file encryption.
Double extortion has become the norm in ransomware attacks. When data are stolen, victim organizations are required to pay a ransom to prevent the stolen data from being sold or published on the gangs’ data leak sites, in addition to paying for the decryptors to recover files. These attacks often involve large ransom demands, and many companies pay up even when they can recover their data from their own backups.
Defending against these attacks is not only about stopping cyber threat actors from gaining access to the network; it also requires building resiliency into systems to limit the harm that can be caused, and developing plans in advance so that recovery is as fast as possible.
The guidance document covers the steps that need to be taken to make it harder for ransomware gangs to gain access to the network, best practices to adopt to protect sensitive data, and advice on response and recovery.
“All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems,” explained CISA in the guidance document. “This fact sheet provides information for all government and private sector organizations, including critical infrastructure organizations, on preventing and responding to ransomware-caused data breaches.”
CISA suggests the following measures for preventing ransomware attacks:
- Maintain offline, encrypted backups of data.
- Regularly test backups.
- Create, maintain, and exercise a basic cyber incident response plan, resiliency plan, and associated communications plan.
- Mitigate internet-facing vulnerabilities and misconfigurations.
- Employ best practices for use of Remote Desktop Protocol (RDP) and other remote desktop services.
- Conduct regular vulnerability scans.
- Update software and apply patches in a timely manner.
- Ensure that devices are properly configured, and security features are enabled.
- Disable or block inbound and outbound Server Message Block (SMB) Protocol.
- Remove or disable outdated versions of SMB.
- Reduce the risk of phishing emails from reaching end users with strong spam filters.
- Implement a cybersecurity user awareness and training program.
- Practice good cyber hygiene – use AV software, implement application allowlisting, employ MFA, implement cybersecurity best practices.
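As an added illustration (not part of the CISA fact sheet or this article), the following PowerShell script audits a Windows host against the two SMB items above, reporting whether SMBv1 is still enabled and whether TCP 445 is blocked in each direction, and applies fixes only when run with `-Remediate`. It assumes an elevated session and uses hypothetical firewall rule names.

```powershell
# Added example: audit (and optionally remediate) SMBv1 and SMB port exposure on one Windows host.
# Run elevated. Without -Remediate the script only reports findings.
param([switch]$Remediate)

$findings = @()

# 1. Outdated SMB: is the SMBv1 server protocol still enabled?
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is enabled"
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. Outdated SMB: is the SMB1Protocol Windows feature (client and server binaries) installed?
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feat.State -eq 'Enabled') {
    $findings += "SMB1Protocol Windows feature is installed (reboot needed after removal)"
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 3. Block inbound and outbound SMB: is there an enabled Block rule for TCP 445 in each direction?
# Rule names are hypothetical; adjust to your own naming convention.
foreach ($dir in 'Inbound', 'Outbound') {
    $name = "Block SMB TCP 445 $dir"
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rule) {
        $findings += "No firewall rule '$name' exists"
        if ($Remediate) {
            if ($dir -eq 'Inbound') {
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
            } else {
                New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block | Out-Null
            }
        }
    } elseif ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') {
        $findings += "Firewall rule '$name' exists but is disabled or not a Block rule"
        if ($Remediate) { Set-NetFirewallRule -DisplayName $name -Enabled True -Action Block }
    }
}

if ($findings.Count -eq 0) { "No SMB findings on $env:COMPUTERNAME" } else { $findings }
```

Blocking TCP 445 breaks legitimate file-share and domain SYSVOL access, so scope the rules to hosts that do not need SMB and test in audit mode first.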
To protect sensitive data and block data exfiltration, CISA recommends:
- Conduct audits to identify where sensitive data are stored.
- Limit data storage as far as possible and only retain data for the minimum necessary time.
- Implement FTC physical security best practices.
- Implement cybersecurity best practices, including not storing sensitive data on Internet-facing systems, employing firewalls, encrypting sensitive data at rest and in transit, and applying network segmentation.
- Ensure the cyber incident response and communications plans include response and notification procedures for data breach incidents.
A fast and effective breach response is essential for limiting the damage caused in an attack. CISA recommends the following steps when responding to ransomware-related data breaches, starting with securing network operations and stopping additional data loss.
The ransomware response checklist below should then be followed:
- Determine which systems were impacted and immediately isolate them.
- If—and only if—affected devices cannot be removed from the network or the network cannot be temporarily shut down, power infected devices down to avoid further spread of the ransomware infection.
- Confer with your team to develop and document an initial understanding of what has occurred based on preliminary analysis.
- Engage your internal and external teams and stakeholders to inform them of how they can help you mitigate, respond to, and recover from the incident.
- Follow notification requirements as outlined in your cyber incident response plan.